From there the victim is delivered to a malware landing page at [donotclick]adelect.com/topic/latest-blog-news.php which follows a predictable pattern of being a hijacked GoDaddy domain hosted on 66.150.155.210 (Nuclear Fallout Enterprises, US). There are some other hijacked domains on this same server listed below in italics.

Please find attached the remittance 2982780. If you are unable to open the attached file, please reply to this email with a contact telephone number. The Finance Dept will be in touch in due course.
Jed_Gregory
Chase Private Banking
Level III Officer
3 Times Square
New York, NY 10036
T. 212.525.8865
F. 212.884.2034

The attachment is in the format Docs_victimdomain.com.zip which contains an executable Docs_08222013_218.exe (note that the date is encoded into the file). The VirusTotal detection rate for this is a moderate 16/46. The Malwr analysis shows that this is a Pony/Gate downloader which attempts to connect to the following URLs:
[donotclick]watch-fp.ca/ponyb/gate.php
[donotclick]www.jatw.pacificsocial.com/VSMpZX.exe
[donotclick]richardsonlookoutcottages.nb.ca/Q5Vf.exe
[donotclick]idyno.com.au/kvdhx2.exe

The downloader then downloads a second part with a much lower detection rate of 6/46. This appears to be a Zbot variant, and the Malwr analysis for that component is here.

The Pony/Gate component is hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) and is a hijacked GoDaddy domain, one of several on that server and listed below in italics.

Nothing good will come from clicking the link. First victims go to a legitimate but hacked site that attempts to load the following three scripts:
[donotclick]gemclinicstore.com/admitted/tintinnabulations.js
[donotclick]mathenyadvisorygroup.com/toffies/ceiling.js
[donotclick]www.it-planet.gr/schlepped/suitor.js

From there the victim is directed to a malware landing page at [donotclick]thenatemiller.co/topic/able_disturb_planning.php (.co, not .com) which is a hijacked GoDaddy domain hosted on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with several other hijacked domains (listed below in italics).

Gene Maynard wants to be friends with you on Facebook.
University of Houston, Victoria
342 friends - 28 photos
Confirm Request

See All Requests
This message was sent to [redacted]. If you don't want to receive these emails from Facebook in the future, please click: unsubscribe.
Facebook, Inc. Attention: Department 415 P.O Box 10005 Palo Alto CA 94303

This is a "ThreeScripts" attack, with the link first going to a legitimate hacked site and then through one of the following three scripts:
[donotclick]ftp.crimestoppersofpinellas.org/jonson/tried.js
[donotclick]italiangardensomaha.com/moocher/pawned.js
[donotclick]www.it-planet.gr/schlepped/suitor.js

From there, the victim ends up on a hijacked GoDaddy domain with a malicious payload at [donotclick]dennissellsgateway.com/topic/able_disturb_planning.php on 72.5.102.146 (Nuclear Fallout Enterprises, US) along with some other hijacked domains (listed in italics below).

To view details for a specific transaction, please log into the Merchant Interface.

1. Click "Reports" from the main menu
2. Select "Transaction Details by Settlement Date"
3. Select "Settled Transactions" from the Item Type drop-down box.
4. Select the Settlement Date for the batch you would like to view from the "Date" drop-down box
5. Click "Run Report"
6. In the results, click on any transaction ID to view specific details for that transaction.

If you have any questions regarding this settlement report, please contact us by Secure Mail or you can call Customer Support at 1-877-447-3938.

Thank You,
Authorize.Net

*** You received this email because you chose to be a Credit Card Report recipient. You may change your email options by logging into the Merchant Interface. Click on Settings and Profile in the Main Menu, and select Manage Contacts from the General section. To edit a contact, click the Edit link next to the contact that you would like to edit. Under Email Types, select or deselect the Email types you would like to receive. Click Submit to save any changes. Please do not reply to this email.

The link in the email goes to a legitimate hacked site and then loads one or more of these three scripts:
[donotclick]ftp.hotwindsaunausa.com/clingy/concord.js
[donotclick]katchthedeal.sg/stilling/rifts.js
[donotclick]ftp.navaglia.it/gazebo/cowboys.js

The victim is then forwarded to a malware landing page using a hijacked GoDaddy domain at [donotclick]hubbywifewines.com/topic/able_disturb_planning.php hosted on 72.5.102.192 (Nuclear Fallout Enterprises, US) along with another hijacked domain of hubbywifefoods.com.

The email has an attachment called report_625859705821.zip which in turn contains an executable report_{DIGIT[12]}.exe (which presumably is an error) which has a VirusTotal detection rate of 9/46. The Malwr report shows that this malware does various things, including an HTTP request to a hijacked GoDaddy domain at [donotclick]hubbywifeco.com/forum/viewtopic.php hosted on 66.151.138.80 (Nuclear Fallout Enterprises, US) which is shared with another hijacked domain, hubbywifecakes.com.

From there, another executable is downloaded from one of the following locations:
[donotclick]208.106.130.52/39UvZmv.exe
[donotclick]demoscreactivo.com/DKM9.exe
[donotclick]roundaboutcellars.com/Utuw1.exe
[donotclick]bbsmfg.biz/VKPqrms.exe

This executable has an even lower detection rate of just 5/46. You can see the Malwr report for that here.

Blocking EXE-in-ZIP files like this at your perimeter is an excellent idea if you can do it.
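One way to do the perimeter check described above, as an added example rather than anything from the original post: open each zip attachment, look at every member's final extension and its first bytes, and flag anything that is executable by extension, carries a PE ("MZ") header under a harmless-looking name, or uses a decoy double extension such as ".pdf.exe". Nested zips are opened too, since an EXE one level down is still an EXE-in-ZIP. The sample archive is constructed inline and the member names echo the attachment naming seen in these spam runs; the function and constant names are this example's own.

```python
import io
import re
import zipfile

# Final suffixes that Windows will run directly. A decoy such as
# "invoice.pdf.exe" is caught because only the last suffix is tested here.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
MZ_MAGIC = b"MZ"              # DOS/PE header, present on every Windows executable
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # first bytes of any non-empty zip archive
DECOY_DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|png|txt)\.[a-z0-9]{2,4}$")


def member_findings(name, head):
    """Return the reasons (possibly none) a zip member looks like an executable.

    name: member path inside the archive; head: its first few bytes.
    """
    reasons = []
    lower = name.lower()
    suffix = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if suffix in EXECUTABLE_SUFFIXES:
        reasons.append(f"executable extension {suffix}")
    if head.startswith(MZ_MAGIC):
        reasons.append("PE header (MZ) regardless of extension")
    if DECOY_DOUBLE_EXT.search(lower):
        reasons.append("decoy double extension")
    return reasons


def scan_zip_attachment(data, depth=0, max_depth=2):
    """Scan zip bytes and return a list of (member_name, [reasons]).

    Nested archives are opened up to max_depth levels so an EXE inside a
    zip inside a zip is still reported, with a path like outer.zip/inner.exe.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            reasons = member_findings(info.filename, head)
            if reasons:
                findings.append((info.filename, reasons))
            if head.startswith(ZIP_LOCAL_HEADER) and depth < max_depth:
                for name, why in scan_zip_attachment(zf.read(info), depth + 1, max_depth):
                    findings.append((f"{info.filename}/{name}", why))
    return findings


def build_sample():
    """Constructed sample archive shaped like the spam attachments discussed above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Docs_08222013_218.exe", b"MZ\x90\x00" + b"\x00" * 60)  # real PE header
        zf.writestr("readme.txt", b"Please find attached the remittance")  # benign
        zf.writestr("scan.pdf.scr", b"%PDF-1.4 not really a pdf")  # decoy double extension
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as izf:
            izf.writestr("report.exe", b"MZ" + b"\x00" * 30)
        zf.writestr("nested.zip", inner.getvalue())  # EXE hidden one level down
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_attachment(build_sample()):
        print(f"BLOCK {member}: {'; '.join(why)}")
```

Only the first four bytes of each member are read, so the check is cheap enough to run on every inbound attachment; a mail gateway would quarantine the message on any finding rather than try to decide which of the reasons matters most.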

Revenues notification email
This is an automated email - please do not reply!

Dear customer!

You are receiving this notification because of you have been received the payment.
It may take a some time for this transaction to appear in the Recent Activity list on your account page.

Transaction details

Transaction sum: 110 USD
Transaction date: 2013/08/02

View the details of this transaction online

Thank you for using MoneyGram services!

MoneyGram ® 2013

Payload is on [donotclick]drstephenlwolman.com/topic/sessions-folk-binds.php via [donotclick]new.hotelniles.com/xd2iqku.html and some intermediate scripts.

More analysis later...

Part II

OK, I have a little more time to look at this. Here is the screenshot:

Clicking the link takes you to a "ThreeScripts" page, but subtly different from previous ones, leading to scripts at:
[donotclick]nutnet.ir/dl/nnnew.txt
[donotclick]www.emotiontag.net/cp/nnnew.txt
[donotclick]aurummulier.pl/nnnew.txt

These scripts use a ".txt" extension, presumably to fool AV scanners.
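A simple way to spot this "ThreeScripts" injection when checking a site you manage, added here as an example and not taken from the original post: collect every script src on a page and flag those served from a third-party host, or whose path does not end in ".js" (the ".txt" trick above). The sample HTML is constructed, the site hostname hacked-site.example is a placeholder, and the three external URLs are the ones quoted in this post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag on a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def split_src(src):
    """Return (host, path) for a script src; host is "" for same-origin relative paths."""
    if src.startswith("//"):
        src = "http:" + src
    if not src.lower().startswith(("http://", "https://")):
        return "", src.split("?", 1)[0].lower()
    parsed = urlparse(src)
    return (parsed.hostname or "").lower(), parsed.path.lower()


def suspicious_scripts(html, page_host):
    """Return [(src, [reasons])] for script includes that look injected.

    Reasons: a host that is neither page_host nor one of its subdomains,
    or a path that does not end in .js (e.g. the .txt variant seen here).
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        host, path = split_src(src)
        reasons = []
        if host and host != page_host and not host.endswith("." + page_host):
            reasons.append(f"third-party host {host}")
        if not path.endswith(".js"):
            reasons.append(f"non-.js script path {path}")
        if reasons:
            hits.append((src, reasons))
    return hits


# Constructed page: two legitimate includes plus the three injected ones.
SAMPLE_HTML = """
<html><head>
<script src="/assets/site.js"></script>
<script src="https://static.hacked-site.example/app.js"></script>
<script src="http://nutnet.ir/dl/nnnew.txt"></script>
<script src="http://www.emotiontag.net/cp/nnnew.txt"></script>
<script src="http://aurummulier.pl/nnnew.txt"></script>
</head><body>...</body></html>
"""

if __name__ == "__main__":
    for src, why in suspicious_scripts(SAMPLE_HTML, "hacked-site.example"):
        print(f"{src}: {'; '.join(why)}")
```

The non-.js test is a weak signal on its own (many sites serve scripts from .php endpoints), which is why each hit carries all of its reasons: a third-party host and an odd extension together is the pattern described above.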

The next step is a kind of weird Javascript leading to a malware page at [donotclick]drstephenlwolman.com/topic/sessions-folk-binds.php hosted on 74.91.118.212 (Nuclear Fallout Enterprises, US).

The domain in question is a hijacked GoDaddy domain. The payload is hardened against analysis. There will almost certainly be other hijacked domains hosted on this server, so blocking access to it might be a good idea.

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

In this case there is an attachment SCAN_129_07082013_18911.zip containing an executable file SCAN_129_07082013_18911.exe (note that the date is encoded into the file). VirusTotal detections are 26/47 and identify it as a generic downloader; Comodo CAMAS reports that it is a Pony downloader that attempts to contact 2ndtimearoundweddingphotography.com, which appears to be a hijacked GoDaddy domain.

As is common at the moment, there are a bunch of related hacked GoDaddy domains on a random (non-GoDaddy) server, in this case 64.94.100.116 (the somewhat notorious Nuclear Fallout Enterprises). All these domains should be treated as malicious according to reports from URLquery and VirusTotal.

This second file has a much lower detection rate at VirusTotal of just 3/47 (and they are all generic at that). The ThreatExpert report [pdf] gives more details of the malware plus some connection attempts, and Anubis reports something similar. They all appear to be dynamic ADSL addresses and probably not worth trying to block.

* The reference number for this fax is min1_did27-5667781893-3154150936-31.

View this fax using your PDF reader.

Click here to view this message

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.
Thank you for using the eFax service!
Home Contact Login
Powered by j2 2013 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax Customer Agreement.

The spam leads to an exploit kit on [donotclick]13.carnovirious.net/read/persons_jobs.php hosted on 74.91.117.49 by Nuclear Fallout Enterprises. You should probably block 74.91.117.50 as well.

The following domains are on these two IPs:
13.jonemnominik.net
13.lomerdaster.net
13.zabakarvester.net
13.carnovirious.net
13.blumotorada.net

Friday, 23 November 2012

This bunch of IPs and domains are being used in a series of fairly well-targeted attacks involving malicious spam messages that look like they come from real financial organisations (such as this one). The payload is apparently "Ponyloader".

The domains seem to be legitimate but hacked, and in some cases the server infrastructure also looks like it is something legitimate that has been taken over by the bad guys. However, the chances are that you are more likely to see these sites as the result of a malicious spam run rather than anything else, and you should consider blocking them.

The malicious payload is on [donotclick]cowonhorse.co/links/observe_resources-film.php hosted on 74.91.118.239 (Nuclearfallout Enterprises, US). Nuclearfallout have hosted sites like this several times before. In my opinion, blocking ALL emails that appear to be from LinkedIn would probably benefit your business.

The goo.gl redirector goes to shfd19za.roversmolina.ru (multihomed, see below) and then ends up on a malicious page at 66.151.138.87/showthread.php?t=72d268be707a5fb7 (Nuclear Fallout Enterprises, US again).

email us at mktplace_customerservice@intuit.com.
call us at 1-800-955-8890.
reorder intuit checks quickly and easily starting with
the information from your previous order.

to help us better serve your needs, please take
a few minutes to let us know how we are doing.
submit your feedback here.

thanks again for your order,

intuit market customer service

privacy , legal , contact us , about us

you have received this business communication as part of our efforts to fulfill your request or service
your account. you may receive this and other business communications from us even if you have opted
out of marketing messages.

please note: this e-mail was sent from an auto-notification system that cannot accept incoming email
please do not reply to this message.

if you receive an email message that appears to come from intuit but that you suspect is a phishing
e-mail, please forward it immediately to spoof@intuit.com. please visit http://security.intuit.com/ for
additional security information.

Dear Business owner,
Hereby you are informed that your Tax Return Appeal id#8179621 has been DECLINED. If you consider that the IRS did not properly assess your case due to a misunderstanding of the facts, be prepared to submit additional information. You can download the rejection details and re-submit your appeal under the following link Online Tax Appeal.

In both cases the payload is trucktumble.com/search.php?page=73a07bcb51f4be71 on 64.94.238.71 (Nuclear Fallout Enterprises, US). Blocking the IP will stop other malware on the server causing you a problem; you may even want to block 64.94.238.0/24 because this host is getting a pretty poor reputation.

The malware is at cooldcloud.com/search.php?page=73a07bcb51f4be71 hosted on 74.91.117.227 (Nuclear Fallout Enterprises... again). Blocking the IP is best as that will protect against other malware, although you may want to block more widely given the problems with this host.

The link redirects through a couple of legitimate hacked sites and ends up on hakkabout.com/search.php?page=73a07bcb51f4be71 on 96.126.117.251 (Linode, US). According to Wepawet, a subsequent download is attempted from kansamentos.com/forum/index.php?showtopic=192151 on 66.151.138.179 (Nuclear Fallout Enterprises, US). Blocking those two IPs is probably a good idea, although it isn't the first time that Linode or Nuclear Fallout Enterprises have hosted malware recently and it may not be the last.
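The posts above repeatedly recommend blocking a few IPs, the domains sharing them, and occasionally a whole /24. The following is an added example (not from the original posts) of turning that advice into a checkable blocklist: it strips the [donotclick] marker, pulls the host out of each URL, sorts hosts into domains and networks, and then answers whether a given URL, host or address is covered, including subdomains and CIDR ranges. The indicator values are those quoted in the eFax post (the five 13.*.net domains on 74.91.117.49 and .50) and the 64.94.238.0/24 range from the Intuit/IRS post; the function names are this example's own.

```python
import ipaddress
import re
from urllib.parse import urlparse

DEFANG = re.compile(r"\[donotclick\]", re.IGNORECASE)


def refang(token):
    """Strip the [donotclick] marker used in these write-ups."""
    return DEFANG.sub("", token).strip()


def host_of(indicator):
    """Extract the host part (domain or IP) from a URL or bare host."""
    s = refang(indicator)
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def build_blocklist(indicators, networks=()):
    """Split indicators into a set of domains and a list of ip_network objects.

    Bare IPs become /32 networks; CIDRs passed in `networks` are added as given.
    """
    domains = set()
    nets = []
    for ind in indicators:
        host = host_of(ind)
        if not host:
            continue
        try:
            nets.append(ipaddress.ip_network(host, strict=False))
        except ValueError:  # not an address, so it is a domain name
            domains.add(host)
    for cidr in networks:
        nets.append(ipaddress.ip_network(cidr, strict=False))
    return domains, nets


def is_blocked(target, domains, nets):
    """True if target (URL, host or IP) hits a listed domain/subdomain or network."""
    host = host_of(target)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host in domains or any(host.endswith("." + d) for d in domains)
    return any(addr in n for n in nets)


# Indicators as quoted in the posts above (defanged form kept on purpose).
INDICATORS = [
    "[donotclick]13.carnovirious.net/read/persons_jobs.php",
    "13.jonemnominik.net",
    "13.lomerdaster.net",
    "13.zabakarvester.net",
    "13.blumotorada.net",
    "74.91.117.49",
    "74.91.117.50",
]
NETWORKS = ["64.94.238.0/24"]

if __name__ == "__main__":
    domains, nets = build_blocklist(INDICATORS, NETWORKS)
    for probe in ("http://13.carnovirious.net/read/persons_jobs.php",
                  "64.94.238.71", "www.example.com"):
        print(probe, "->", "BLOCK" if is_blocked(probe, domains, nets) else "allow")
```

Matching on the host rather than the full URL is deliberate: the landing-page paths in these campaigns change from run to run, while the hijacked domain and the server it sits on are what persists.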